I’ve often been asked by customers, “How does auto-enrollment work and under what circumstances will renewals, replacement, revocation, and updates happen?”
First, auto-enrollment does not happen automatically. Group policy must be set to allow clients to auto-enroll and the types of auto-enrollment allowed. Next, that policy must be pushed out to all of the clients in the domain. Lastly, the certificate authority registered to that domain must have the templates issued for the certificates to be auto-enrolled. These include machine/computer, domain controller, and user certificates.
In a normal environment, the auto-enroll will start happening within minutes. Most environments are not normal. Replication has to take place and the GPO has to update. Client machines will then try to update on a periodic basis. The period is around every 8 hours unless changed by policy.
Now comes the tricky part. Once machines have certificates, they have to be updated, renewed, revoked, or replaced.
If an auto-enroll template is modified, this will trigger a new certificate being obtained from the CA. The current certificate will remain in the machine store until the new certificate is issued and then it will be deleted (this is controlled by policy and can be changed).
If the current certificate is revoked, then the client will try to get a new certificate at the next available period once it realizes the certificate has been revoked.
Replacement is a little trickier. If you bring up a new CA and want to switch over the auto-enrollment to that CA, the current certificates will not automatically be re-enrolled. Since the current certificate is still valid, it will wait for the renewal period to replace the certificate. Since the old CA will not be decommissioned and CRLs continued to be published, this could be a lengthy period.
Renewal. This is the most misunderstood part of the auto-enroll process. Every certificate issued has a renewal period as part of the template. This does not necessarily mean that the certificate will renew at the exact beginning of that period. For renewal of auto-enrolled certificates, two time frames exist before the action is taken.
First the certificate has to have completed 80% of its validity period and be within the renewal period. So as an example, a certificate that is valid for 1 year reaches the 80% mark at around 41.5 weeks and if the cert has a 6 week renewal period, then the renewal would happen at the 46 week period. SO this would happen during the renewal period.
If the validity period is 6 months, the 80% mark would be week 21, but the renewal period would begin week 20.
It all seems simple enough, but very confusing at times.